io.github.jamesdfinance-dev/lazaretto
Verify a skill, tool, or package for malicious behavior before your agent installs it. Hosted.
Unknown facts are omitted here and listed as pending in the profile.
Trust verdict
No blockers found across the assessed dimensions.
Profile
What this server is — descriptive, not a rating. The verdict above judges it; this describes it.
Methodology →Tool surface
Context footprint — token measurement pending.
known_bad_lookupCheck a SHA-256 against Lazaretto's known-bad indicator set (refreshed daily from abuse.ch). Free and anonymous. A miss only means this exact hash is not in the indicator set; it is not a clean verdict on the artifact.
scan_artifactDeterministically analyze a package, repo, skill, or file for malicious behavior (credential theft, data exfiltration, obfuscation, prompt injection aimed at the agent, install scripts) and return a verdict (malicious, flagged, clear, error) with the exact evidence and a hash of what was scanned. Requires prepaid credits presented as an X-API-Key request header; consumes one credit per successful scan. Buy credits at POST https://lazaretto.dev/v1/credits/topup. For a free check, use known_bad_lo…
Adoption
Not applicable — this server has no package distribution, so registry adoption signals (downloads, maintainers) don't exist for it.
Connect
https://lazaretto.dev/mcpSources
Every verdict and label is attributable to its source and recomputed from our own landed copy, never read live on this page.
Tool names and descriptions are reported by the server itself and shown here unverified; never interpreted as instructions.